Science and technology

Internet routing

Safe passage

IMAGINE being in your seat on a flight from Houston to Manchester. After the plane takes off, the pilot announces that he has just been radioed to modify the flight path—through Beijing, say. The pilot doesn't know who told him to change course, but he follows his instructions anyway. On the layover in Beijing you might be left alone. Alternatively, you may be frisked and all your documents photocopied. Either way, it is all rather tedious.

Of course, airlines and passengers would never stand for such treatment. Yet this is precisely how data packets shuffle between networks that make up the internet. Fortunately, computer scientists at Carnegie-Mellon University (CMU) have come up with a clever way to eliminate the flaw. What is more, their solution could be introduced piecemeal in a manner that would not require a co-ordinated effort by everyone connected to the vast global network.

At present, there are over 200,000 independently operated networks, known as autonomous systems, which know how to shunt packets around the internet. Getting from a Comcast network in Houston to a BT network in Manchester, for instance, might require three or four intermediate hops. Autonomous systems constantly receive new routing instructions from the others—without much in the way of verification. That means that each autonomous system has to carry a constantly updated list of over 200,000 entries, where an individual entry contains the next stop required to move data from that autonomous system to one of the others.

Autonomous-system routers can typically choose from multiple paths to dispatch data packets to their destination. They may choose the cheapest, fastest or least congested. As a result, malicious, incompetent or accidental changes to the table of router entries can wreak havoc by, for example, letting mischief-makers hijack information. Anyone running a gateway that talks this routing language can publish incorrect paths, intentionally or otherwise. In April 2010, for instance, China Telecom told other routers to shift roughly 10% of the internet's pathways through its kit. The incident lasted about 18 minutes; the volume and nature of the re-routed data remain a mystery. At the time China denied this was a "hijack", but many observers were not satisfied with its explanations. Two similar events involving China have occurred since then. One in March affected just paths leading to Facebook.

The CMU researchers' proposal is known as SCION (which expands, rather ponderously, to Scalability, Control and Isolation on Next-generation Networks). The details may be abstruse, but the general idea is relatively straightforward. To start with, says Adrian Perrig of CMU, you need to create explicit domains of trust. Any independent network would be free to choose which other networks it wants to trust in a close embrace. Such high trust would not, however, be transitive. In other words, if a network belonged to two groups, its neighbours in one of them would not automatically trust its neighbours in the other simply by dint of having a mutual member. According to the proposal trust domains would comprise networks that operate under the same law and are bound by some form of binding agreement. That way, Dr Perrig notes, if a breach of trust occurred, there would be legal recourse.

Each time a member network sought to connect to another one in the trusted domain, it would still have to present a cryptographic signature as proof of identity. So far, that just seems like a method to secure groups of networks. Where SCION becomes more useful, and reduces complexity by an enormous degree, is when a router on a network wants to transfer data outside its closely trusted grouping.

Rather than remembering 200,000-odd entries, each one corresponding to each of the other networks, a network router in a trusted domain knows just a couple of facts. First, how to reach the very top of the routing hierarchy at the internet-transit service the network's owner subscribes to. That allows a network to rely on its transit provider to reach anywhere else in the world. Second, replacing those hundreds of thousands of entries are just a handful of pathways that tell a router how to pass packets along to a small number of neighbours which a domain has agreed to trust. It is as a pilot taking off from Houston would only know a handful of trusted airports at which he could land en route to Manchester. He would have no directory of all worldwide airports to consult, and the air routes to get there. On landing at the layover, he would plot the next step to Britain.

The trusty neighbours might be all the networks that agree to interconnect at a given network exchange point, or networks located far apart but which have close affinity, such as academic institutions, which have established direct links that bypass the public internet. The transit providers would then ensure that the connection is safe by using their own trusted routers. If an outsider tried to convince a trust domain to route information via an unknown path such requests would simply go unheeded. The new system would ensure that traffic meant to pass between trusted domains never went astray.

Such a structure can also be extended to make specific and fixed paths across the internet between networks, allowing virtual internets to be securely built without disturbing the existing networks. In the current set-up it is impossible to know precisely how packets will flow, Dr Perrig says. SCION would provide a clearer picture. And trusting only one's select neighbours prevents accidental network disruption. A typo in a (manually pecked) entry for a set of routes, for example, would not have the potential to take down large portions of the internet, route traffic to dead ends or overload equipment—all of which can happen today. "Even if you make a mistake in SCION, you won't mess up other peoples' traffic," assures Dr Perrig.

SCION requires much less computational power to operate, because a gateway using its approach need only look at a handful of entries, rather than analyse hundreds of thousands. Dr Perrig says this would reduce the cost of kit, and make SCION feasible for optically switched networks in which current route computation is just not possible. SCION can also be run in software without specialised chips.

The system is currently in the lab. Even if it got out, it is far from assured that it would be widely adopted. Many internet overhauls have been floated to little avail. That said, some require building a brand-new network infrastructure. SCION could be run over the existing internet. Independent networks could add SCION gear and fire up SCION links among trusted neighbours one route at a time.

The real question, though, is whether router manufacturers would embrace the change. SCION requires less powerful, and thus less expensive, hardware to operate. Makers of such hardware might not find that too appealing, even if their customers do.

Actually, to try answer your questions in a general manner, the point of the packet routing system underlying the internet is to create a self-routing self-repairing network that can survive the loss of large chunks of itself in a nuclear war.

That's the "200,000" number in the post above -- the number of disparate entities responsible for "a chunk" of the internet. Those companies are varied and have disparate business models -- some are big ISPs and telcos, some are big destinations.

Generally, you pay as either someone who needs more incoming bandwidth than outgoing (if you're a small isp with only retail customers, say), the reverse (if you're a big destination with little internal use), or someone who will be able to "peer" equally with the rest of the internet traffic. Peer players build out their own infrastructure and decide for themselves where their outgoing connections will attach. Each player's "interest" is based on their business model's data needs, so it's not super easy to get them to conflict.

If any one big peer went down, the system automatically reroutes your packets along whatever routes are still open. That's the underlying basis of the original technology.

And while nobody is responsible for "fixing the whole internet," if somehow they all went down, then each peer would be scrambling to get their own infrastructure back up to service their business model. Once you have even a few peers back up on their backbones and talking to each other, the "internets" start working again for anyone who can manage to get their packets into the network.

All the underlying technology is nicely designed to not need a central command and control system that would be vulnerable to a single fail event (nuclear or otherwise), but nobody thought about the spying/censorship implications at the time. Realistically, nobody was thinking about business models at all, at the time. "The internet" was a DARPA project for military networks that then got extended to academia and that only much later was made open to the public.

Where you start to wander into conflicts of interest, et al, is when the technology starts to actually interact with humans. "Business models" may have conflicts of interest in them, I've tried to avoid that space and only talk about the tech.

Equally, however, the central-command-and-control-system for the choosing of human readable names (ICANN) is often roundly criticized for its decisions seemingly based on western politics.

@Artemio Cruz IPv6 would still use the current system (BGP) to route packets between networks, so it would still be prone to problems listed in the article. Its advantage is that the packets would all be encrypted and the packets themselves are a bit simpler than IPv4, so easier to route. SCION is supposed to replace BGP amongst trusted networks. Of course, you could also have IPv6 via SCION...

The internet arose from a DARPA initiative to create a network that could survive attack. So, yes, technically the internet is immune to attack. The price is the kind of complexity that the necessary autonomy introduces as the article describes. As the internet itself is essentially just the observed phenomenon of lots of networks connected you can never either shut it down or restart it. As soon as two networks connect using IP you have an internet.

The business model for providers is charging for wholesale access - Equant, et al charge ISPs to use their networks. Peering arrangements exist to reduce the need for micro-billing but networks do occasionally drop peering with other networks if they think there is too much one way traffic, eg. when lots of people from the same network stream video from the same source.

@Babbage - what are the differences between the proposed system and the improvements to routing that are part of IPv6?

No, the internet has no single point of failure. DDoS attacks can stress parts of the internet as can DNS floods but the IETF is fairly well-equipped to deal with such. Because most of the internet simply uses the protocols it is outwith the US army's influence. So, parts of it might go down, or, at least be less reliable but it is pretty nigh impossible to take it all down. Well, I suppose an EMP of sufficient magnitude could but that would take pretty much every IC based technology with it. We wouldn't really be that worried about the internet in such a situation! The whole point of the "autonomous devices" is that they are exactly that. Sure, some of the Cisco or Juniper stuff might have CIA-controlled software in them but they are only part of the picture. There have been rumours about some backdoors installed in *BSD despite source code analysis but the current hodge-podge makes a total VUIE (Violent Unknown Internet Event) unlikely. It does, however, remain a distinct possibility to take down or poison parts, such as countries.

September 11th, 2011 saw a largely unintentional attack on the internet because the main transatlantic IX was under the two towers. There was a backup, under the next building... Anyway, I remember vividly how IP-traffic was affected that day with Europe-USA traffic rerouted vis Asia. Websites were a problem but e-mail was fine. Since then we've gained more in capacity and routes than we have in traffic, streaming excepted.

I was prepared to answer the questions, Cornish expat, but I see mig*4 has already done so in an exemplary fashion.

The advantage of SCION would also reducing the likelihood of widescale disruption due to other causes—such as a massive natural disaster. The BGP protocol on which routers rely doesn't self-heal as such, and routers may continue to try to route through dead links until manual intervention occurs. But with multiple routes, data tends to get through.

This raises, for me two (very basic) questions about the internet, which has become fundamental to the world economy and society:

1. How does the internet get paid for? I know I pay a monthly fee to me ESP, but if there are "200,000 independently operated networks", what are their business models? Is there competition and if so how does it work? Who owns and operates the cables and what are their economics? It is all completely opaque to me, but given the absolute need for a reliable network, it could be critically important.

2. Are there conflicts of interests between network owners, between cable owners and between networks and cables?

3. In the event of a complete failure, who is responsible for restarting the system?

4. Is the internet "hardened" against accident, military attack or major environmental events? Who would be responsible for performing failure modes and effects analyses?

Another example of the insecurity of routing was when Pakistan Telecom managed to block access to YouTube worldwide in 2008, when they were trying to enforce a government ban on YouTube within Pakistan:

You have answered many of my concerns, but it seems to me that, because the net was set up by some brilliant people, the assumption is that it is fool-proof. I am not so sure. Lovely expressions like "redundant capacity" and "graceful degradation" can lull you into a false sense of security. (Look what happened - is happening - to the financial system. Nobody seems to have seen that coming either.) A few possible, but unlikely, doomsday-ish scenarios:

1. Physical attack on key communications points take down multiple long distance links simultaneously.
2. Software attack swamps the entire internet's capacity.
3. Solar flares knock out satellite and some ground-based links.
4. I understand that US military hardware may be being exported with hidden software with which the US can disable it. Could a villain insert similar software in routers? (The Goldfinger scenario.)
And so on.

I hope and trust that governments are taking the need for FMEA seriously, but I wonder.

I think the change will happen, sooner than later. It may cost more, but it is an advance in technology which seems like the next step, the soon to be standard. the manufacturers may not be willing to change right away, but as long as the demand gets stronger from their customers the change will most likely happen. It is the customers that are allowing these manufactures to make profit.

Not being in the field I can almost understand the rationale. The topic relates to corporate, government and anarchist/hacker fiddling with the free flow of information. Being in Thailand, a country that regularly censors the internet, I fear that I might lose access to the majority of internet sources under the proposal. Yet I would be the first to say that the routers in China and Thailand are not "safe" or trustworthy. I look forward to reading more on this proposal, for at least I recognize the problem. Thank you

I wonder if implementing SCION would change the business models of current ISPs. I envision them charging premiums for data delivered over the SCION network for reasons even the discerning customer won't understand and claiming it's for safety or something similar. I always become wary when I hear of something that will require businesses to Trust one another - perhaps I'm cynical but in today's world all that means to me is the customer suffers. I could see this model potentially being more susceptible to government control, because a dozen trusted connections is easier to legislate than 200,000 raw possible connections.

This change will most likely happen closer to the near future then it will later on in the timeline. The rate that the technologies are being and developed shows no stopping in the progress of internet routing. Companies like SCION show great advances in these technologies and I feel as if that in the near future the public will notice the shift.

Cost should obviously be considered, but the internet is an indispensable resource so any money spend will have been for a good reason. You've got to think, in the broad spectrum of things, the extra money wouldn't make a huge difference if it wasn't spent in this field because it would most likely go towards a source that isn't as frequently used or is as necessary. Spend the money if needed.